Microsoft will release eight bulletins next week, including three critical-rated patches for vulnerabilities in Internet Explorer and Microsoft Windows.
Tyler Reguly, technical manager of IT security research and development at Tripwire, said: “It’s a pretty typical patch Tuesday, Internet Explorer, Windows, and Office patches. This month shows that new Microsoft software isn’t immune to flaws — Office 2013, IE 11, and Windows 8.1 will all receive patches on Tuesday.”
Wolfgang Kandek, CTO of Qualys, said that the focus should be on patching the critical update for Internet Explorer. “Addressing browser vulnerabilities on a fast schedule has become increasingly important as more and more of our time online is spent accessing the Internet and running applications through the browser, he said.
“All of the critical bulletins and one of the important bulletins result in a remote code execution and should be prioritised higher. The rest of the important bulletins result in the elevation of privileges or a denial of service condition.”
Ross Barrett, senior manager security engineering at Rapid7, said: “For the first time in a few months, this is a relatively straightforward Patch Tuesday, with fixes for most Windows versions, the ever-present IE roll up patch, and some Office components, but nothing esoteric or difficult to patch. No SharePoint plug-ins, no complicated .NET patching, no esoteric office extensions.
“Of this month’s advisories, the three critical are bulletins 1, 2, and 3, which affect IE and most Windows versions. Bulletin 2 affects all supported Windows versions and requires a restart, so it’s definitely a common and loaded component. All of these will be top patching priorities. Beyond that, bulletins 4 and 5 allow remote code execution and elevation of privilege respectively, but are not listed as critical and are probably thought to be harder to exploit than some others. Bulletins 6, 7, and 8 are information disclosure and denial of service, so if organisations have to choose, these are lower priority.”
However the current zero-day vulnerability in Office will not be patched this time. Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, said that it was only aware of targeted attacks against Office 2007 where Windows XP was used.
Kandek said: “The zero-day is detailed in security advisory
KB2896666 as a vulnerability in the TIFF graphics format parser and informs that it is seeing limited attacks in the Middle East and South Asia. The observed attacks are through Microsoft Word documents and the vulnerability is present in Microsoft Office 2003, 2007 and 2010. Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis.”